Dominic Raab announced last week that the current UK lockdown would last for at least another three weeks. These restrictions are unlikely to be relaxed until a large scale plan is in place to track and restrict the spread of the virus. Part of this plan will involve the use of the NHS “contact tracing” app, which we have been told is in an advanced stage of development.  

Public concerns about privacy may be a significant barrier to this technology assisting in the containment of the virus. One of the most significant challenges for the Government, and the bodies advising it, will be ensuring that the public have confidence in the data protection measures underpinning the app.

How contact tracing apps work

The goal of contact tracing is to identify who is infected or potentially infected and determine who they have come into contact with by analysing their movements. It is then possible to alert those people that they need to self-isolate, get tested and watch for symptoms.

Since approximately 80% [1] of the UK population are smartphone users, an app is the quickest and most comprehensive method to gather the data needed and communicate with individuals at risk. An in-app questionnaire could be developed to determine if the user had potentially caught Covid-19. The app would use Bluetooth technology to track those who had been in contact with the individual to the extent that it would put them at risk (for example, if contact was less than two-metre distance for longer than 15 minutes). An alert would then be sent to those who then needed to self-isolate.

The NHSX (the digital innovation unit of the health service), with the advice of academics, epidemiologists, and ethicists from Oxford University, have been developing this software for the UK. Combined with other measures, experts believe that contact tracing software will be critical in controlling the spread of the virus as well as preventing a resurgence of infection once government social restrictions are eventually lifted.

Success or failure depends on take up

An initial, and significant, issue is whether a sufficient number of individuals will download the app. The UK Government has confirmed that at least 60% of the population need to download the app for it to fulfil its purpose. [2] The release of Singapore’s “TraceTogether” app on 20 March highlights this concern. Only 12% of the population installed the app after its release, leading to a resurgence of new coronavirus cases after lockdown restrictions were eased in April. Even now, only 20% of Singapore’s population are signed up. [3]

There are many reasons for such reticence and concerns with respect to privacy, and they should not be discounted. Those that champion contact tracing apps as the answer to strict lockdowns often look to the success of South Korea, a country where the Government controversially used “surveillance footage and credit card transactions” to trace the movements of its citizens. [4]

This raises the question of whether contact tracing apps should be compulsory. In Poland, another country with experience of successful contact tracing, it is mandatory for all individuals infected with the Covid-19 to download the app. [5] However, especially given guidance from the European Commission that apps should remain voluntary, it is unlikely that the UK Government would take such a significant step.

Careful consideration of privacy concerns

The UK Information Commissioner has clearly stated that data protection legislation does not get in the way of innovative use of data in a public health emergency – as long as the core GDPR principles of transparency, fairness and proportionality are applied. [6]

However, there are significant questions about the mass collection of health data which require answers: What type of personal information would be collected? How long would it be stored for? What will this data be used for? How secure will this data be?

In addition, at what point will the health data collected be aggregated to the extent that individuals can no longer be identified? Such anonymised data falls outside data protection legislation. Anonymisation is a fiendishly complex issue given that identification of individuals from a number of disparate data points will always be a highly fact-specific question of degree and distribution of that data.

With respect to personal data, the European Commission recently published an online toolbox [7] to assist EU member states developing contact tracing apps. The toolbox outlines “prerequisites” for the development of such apps based on GDPR principles, including:

  • National health authorities will need to have clearly established accountability for compliance with the GDPR, although the national data protection authorities should be fully involved and consulted.
  • Users must remain in full control of their personal data. Installation of the app should be voluntary and a user should be able to give their consent to each functionality of an app separately. If proximity data is used, it should be stored on an individual's device and only shared with the user's consent.
  • Only personal data that is relevant and limited to the purpose in question can be processed. The Commission considers location data not necessary for the purpose of contact tracing and so should not be used.
  • Timelines for retaining the data should be based on medical relevance as well as the realistic duration for necessary administrative steps to be taken.
  • Data should be stored on an individual's device and encrypted.
  • Users must be able to exercise the full range of rights under the GDPR.

Public confidence in data protection in the UK?  

The success of any contact tracing app in the UK will depend upon allaying inevitable public concern over loss of privacy and data security. Experts warn that any app that does not protect the personal data of users will fail as the public will simply refuse to download and use it. [8]

As recommended by the European Commission, the UK Information Commissioner’s Office, has supported NHSX with both the development of the app and, even more critically, the de-commissioning of the project. As stated by the Information Commissioner:

“Put simply, we will want to see evidence that COVID-19 initiatives do what they intend to do –  that they work in practice, that they are proportionate, that people can access their rights in law, and that there is a plan in place to stand down measures when no longer needed.” [9]

The Information Commissioner has a track record as a robust regulator unafraid to take on big issues. With the support of the pragmatic guidance of the European Commission, the oversight of the project by the Information Commissioner should provide some measure of reassurance to those with privacy concerns.

In the words of European Data Protection Supervisor, Wojciech Wiewiorowski, “big data means big responsibility.” Matt Hancock, the Secretary of State responsible for the implementation of the GDPR in the UK, will no doubt understand the importance of compliance with data protection legislation when introducing centralised, large-scale, data-aggregating software of this type. 

As the Government will be acutely aware, the stakes are high and this is a project worth getting right.